AUDIT REPORT

INFORMATION SYSTEM CONTROLS

AT THE NATIONAL AIR AND SPACE MUSEUM

Number A-03-08

September 3, 2003

SUMMARY

The Office of the Inspector General audited information system controls at the National Air and Space Museum (NASM). The purpose of the audit was to establish a system security baseline by evaluating information system controls regarding system access, server and network security, and physical conditions.

The following points were considered throughout our audit. Adequate security of information resource systems is a fundamental management responsibility. Of necessity, management must strike a reasonable balance between information technology security and operational capability.

Overall, some controls adequate to provide reasonable security of information resources were in place regarding system backup. The servers that the Information Technology Department administered were up-to-date with critical security patches and hot fixes. However, system security could be strengthened for some computers not completely administered by the Information Technology Department. It is Smithsonian policy, as well as good business practice, that controls be established to maintain accountability for the custody and use of resources and to provide reasonable assurance that assets are safeguarded against loss or unauthorized use. Therefore, we made the following recommendations to the Director, NASM, that include improving systems security and general system controls:

    1. Establish a process to perform periodic reviews of server configurations to ensure necessary patches and hot fixes are up-to-date.
    2. Evaluate system resources and remove unnecessary accounts.
    3. Perform system port scans and determine if open ports on servers and workstations are necessary.
If not, close all unnecessary ports.
    4. Relocate the NASM Internet website to the Institution's secured web hosting location.
    5. Delineate clear information system administration responsibility across NASM to the NASM Information Technology Department.
    6. Assess NASM computers and remove all unnecessary computers attached to the Smithsonian Institution network.
    7. Review the use of non-Smithsonian standard supported e-mail applications.
    8. Consider reallocating computer resources from the Information Technology Department computer room to the more operationally equipped computer facility within the Center for Earth and Planetary Studies.

The Director, NASM, concurred with most of the audit recommendations. Overall, we believe that the corrective action taken and planned is responsive to the recommendations. We ask the Director to reevaluate the necessity of the over-capacity computers within the Center for Earth and Planetary Studies unit and address who is responsible for their administration.

Office of the Inspector General

TABLE OF CONTENTS

1. Introduction ........................................ 1

       A. Purpose ...................................... 1

       B. 
Scope and Methodology .......................... 1

       C. Background ................................... 1

2. Results of Audit .................................... 2

       NASM Information System Security ............... 2

       Table .......................................... 3

Appendix A. Policies and Industry Standards ............ 7

Appendix B. 
Management Comments ......................... 9

ABBREVIATIONS AND ACRONYMS

                   CEPS              Center for Earth and Planetary Studies
                   CIS               Center for Internet Security
                   IT                Information Technology
                   NIST              National Institute of Standards and Technology
                   OCIO              Office of the Chief Information Officer
                   NASM              National Air and Space Museum
                   SD                Smithsonian Directive
                   SI                Smithsonian Institution

INTRODUCTION

A. Purpose

The purpose of the audit was to establish a system security baseline by evaluating NASM information system controls for systems access, server and network security, and physical security.

B. Scope and Methodology

The audit was conducted from April 8, 2003, to August 7, 2003, in accordance with generally accepted government auditing standards.
The audit methodology consisted of the following:

       - Identifying and reviewing applicable Institution policies and procedures related to system general controls, computer system security, and the integrity of computer resources.
       - Comparing NASM's system security settings with industry and Institution standards.
       - Evaluating controls to safeguard and protect networks.
       - Assessing the adequacy of controls to prevent and detect unauthorized activities, including external intrusions, theft, or misuse of computers and networks.
       - Utilizing guidance issued by the National Institute of Standards and Technology, National Security Agency, and Microsoft Corporation relating to system security configuration.

We reviewed the following:

       - Policies, procedures, and controls relating to system security and data integrity.
       - Controls over server and network configurations.
       - Controls to prevent and detect unauthorized activities.

As part of our review, we conducted interviews with NASM technology and administrative staff. We spoke with staff from the NASM Information Technology Department and NASM facilities staff. Through interviews, we gained an understanding of the practices employed concerning system configuration, network security, and system access.

C. Background

The Smithsonian National Air and Space Museum was established to memorialize the development of aviation; collect, preserve, and display aeronautical equipment; provide educational material for the study of aviation; and commemorate the development of air and space flight.

Review of NASM Information Systems

Information system security controls can be strengthened within NASM.
Specifically,

        - Some Microsoft Windows server configurations were not up-to-date and did not meet industry standards.
        - Computer access controls were weak.
        - Unnecessary computers with vulnerable open ports were kept on the SI network.
        - A publicly accessible website was not located within the secured SI web hosting location.
        - POP3 [1] non-Smithsonian supported e-mail systems are being used.
        - Underutilized computer facilities are attached to the SI network.

These weaknesses exist because there is no clear delineation and understanding of system administration responsibilities among the different NASM functional units. In addition, no process has been put in place for evaluating and removing unnecessary access accounts on servers or staff computers. The lack of clear system administrative responsibilities puts NASM system resources at risk of unauthorized, undetected access and alteration. Conversely, clear responsibilities for system administration and optimized computer facilities will strengthen NASM information technology (IT) security, improve efficiency, and possibly save funds when future expansions are needed.

Details of Review

We evaluated NASM system configurations, including server and sub-network security. NASM operates in a mixed server operating system environment that includes Novell, IBM Domino, and Microsoft Windows. Under the system configuration that existed at the time of our audit, we determined that some NASM servers and client systems were vulnerable and should be strengthened to meet industry standard security recommendations. [2][3] Specifically, the NASM Information Technology Department performed system administration for the Novell and IBM Domino servers.
We determined that these machines were up-to-date with the respective service packs and hot fixes. [4] For three Windows servers, we determined that the system administration functions for these machines were not clearly defined between the application users and the Information Technology Department. As a result, these computers' security configurations were not fully up-to-date.

[1] POP3 is an acronym for Post Office Protocol 3, a protocol used to retrieve e-mail from a mail server.
[2] We used the Center for Internet Security (CIS) scoring tool as a basis to evaluate each Microsoft Windows NT and Windows 2000 server. The "Windows Security Scoring Tool" produces a score between one and ten, with ten being the most secure.
[3] The scoring tool criteria are divided into four categories: (1) service packs and hot fixes, (2) policies, (3) security settings, and (4) available services and other system requirements.
[4] For non-Windows operating systems we obtained from the respective company websites the latest operating system levels and associated hot fixes and service packs.

The following table reflects the status of the three Microsoft Windows operating system servers and their respective up-to-date patches and hot fixes.

                                   Server 1     Server 2     Server 3
Number of Missing Hot
Fixes and Patches                     18            0           23
Missing Service Packs                  0            0            0
CIS Score                            3.8          7.5          3.8          4.7

The failure to keep servers up-to-date is easily mitigated by maintaining and updating applications with the latest hot fixes, patches, and service packs.
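The periodic server-configuration review that the report's recommendations call for (patch level, justified open ports, and a named administrator for every host) can be scripted against a scan inventory and a per-host baseline. The following is an added example, not code from the report or from NASM; the host names, hot-fix identifiers, service-pack level, port lists and baselines are constructed assumptions chosen to show the three conditions the audit found: a fully patched server, a partly patched server with unjustified ports, and a host that no unit administers.

```python
"""Periodic server-configuration review.

Added example, not code from the report or from NASM. Compares what a scan or
inventory run reports about each server with what its owning department has
approved, and reports the gaps an auditor would raise: missing hot fixes, an
old service pack, open ports nobody has justified, and servers that no unit
has accepted responsibility for. All host names, hot-fix identifiers, port
lists and baselines below are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Observed:
    """What the scan reported about one server (constructed data)."""
    host: str
    service_pack: int
    installed_fixes: frozenset
    open_ports: frozenset


@dataclass(frozen=True)
class Baseline:
    """What the responsible unit has approved for that server (constructed)."""
    allowed_ports: frozenset
    administrator: str  # unit that owns administration of the host


# Hypothetical patch level every Windows server in the inventory must carry.
REQUIRED_SERVICE_PACK = 6
REQUIRED_FIXES = frozenset({"HF-001", "HF-002", "HF-003", "HF-004"})

# Constructed scan results: one well-kept server, one partly patched server,
# and one research box that appears in no unit's baseline.
OBSERVED = [
    Observed("app-srv-1", 6, frozenset({"HF-001"}), frozenset({80, 135, 139, 445, 3389})),
    Observed("file-srv-1", 6, REQUIRED_FIXES, frozenset({139, 445})),
    Observed("lab-box-7", 4, frozenset(), frozenset({21, 23, 79, 111, 513, 514, 6000})),
]

# Constructed baselines; lab-box-7 deliberately has none.
BASELINES = {
    "app-srv-1": Baseline(frozenset({80, 3389}), "it-dept"),
    "file-srv-1": Baseline(frozenset({139, 445}), "it-dept"),
}


def review_host(obs: Observed, baseline: Optional[Baseline]) -> dict:
    """Return the review findings for one host.

    A host without a baseline has no one who can say which of its ports are
    necessary, so every open port is reported as unjustified and the host
    cannot be compliant until a unit claims it.
    """
    missing_fixes = sorted(REQUIRED_FIXES - obs.installed_fixes)
    service_pack_behind = obs.service_pack < REQUIRED_SERVICE_PACK
    if baseline is None:
        administrator = None
        unjustified_ports = sorted(obs.open_ports)
    else:
        administrator = baseline.administrator
        unjustified_ports = sorted(obs.open_ports - baseline.allowed_ports)
    compliant = (
        administrator is not None
        and not missing_fixes
        and not service_pack_behind
        and not unjustified_ports
    )
    return {
        "host": obs.host,
        "administrator": administrator,
        "missing_fixes": missing_fixes,
        "service_pack_behind": service_pack_behind,
        "unjustified_ports": unjustified_ports,
        "compliant": compliant,
    }


def review_all(observed: List[Observed], baselines: Dict[str, Baseline]) -> Dict[str, dict]:
    """Review every scanned host; hosts absent from the baseline are not skipped."""
    return {o.host: review_host(o, baselines.get(o.host)) for o in observed}


def summary_table(results: Dict[str, dict]) -> str:
    """Render the findings as a plain-text table like the one in the report."""
    header = f"{'Host':<12}{'Admin':<10}{'Missing fixes':>14}{'SP behind':>11}{'Unjustified ports':>19}"
    rows = [header]
    for r in results.values():
        rows.append(
            f"{r['host']:<12}{str(r['administrator']):<10}"
            f"{len(r['missing_fixes']):>14}{str(r['service_pack_behind']):>11}"
            f"{len(r['unjustified_ports']):>19}"
        )
    return "\n".join(rows)


if __name__ == "__main__":
    print(summary_table(review_all(OBSERVED, BASELINES)))
```

The design choice worth noting is that a host missing from the baseline is reviewed rather than skipped: a server with no accepted owner is exactly the case the audit describes, and treating it as compliant by omission would hide the finding. In practice the OBSERVED list would be filled from the quarterly scan output and the BASELINES map from the administration policy the report recommends.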
According to NIST, keeping applications up-to-date is critical to maintaining the operational availability, confidentiality, and integrity of system resources.

NASM network analyses determined that many NASM server and client workstations could be subject to unauthorized access due to weak access controls. We were able to identify NASM computers that contained several vulnerable administrative accounts which could give full access to the computers. During the audit we brought this to the attention of the Information Technology Department staff. The Information Technology Department staff immediately developed a plan to address the weaknesses and correct this vulnerability. Also, we determined that a NASM unit was using POP3 e-mail applications and not the Institution standard e-mail application. POP3 e-mail systems add administrative overhead and often are difficult to configure to communicate effectively with the standard NASM or SI e-mail system.

In addition, our network scans identified numerous servers, including the NASM external web server, with ports that are vulnerable to denial of service attacks. Also, the NASM external web server was located within the SI intranet and not within the special network protected zone identified for Institution website hosting. We also identified numerous UNIX computers connected to the SI network that had no apparent use. These machines were being used by the NASM Center for Earth and Planetary Studies for electronic file storage. However, our evaluation determined that the computers' memory was at capacity and that there were many vulnerable open ports without clear IT administrative oversight.

We determined through physical evaluations of NASM IT facilities that the Information Technology Department's computer room was not designed as a computer room. The computer room consisted of a room and closet that were converted to make a computer room facility.
There was no raised floor, it was cramped, and it was difficult for more than two administrators to work effectively within the room. However, NASM does have a room that was designed to be a computer room facility that is not being fully utilized. This computer room is located within the Center for Earth and Planetary Studies. A review of the room during the audit determined that there was an apparent lack of housecleaning within the room. The underutilization is because the computer room is located within another NASM unit's area and not where NASM IT administrators reside. Optimizing the computer room for dedicated NASM IT administration will improve efficiency and operations for IT administration and prevent unnecessary resource expenditures for building or room modifications.

Based upon our reviews, these weaknesses exist because there is no clear delineation and understanding of system administration responsibilities among the different NASM functional units. In addition, no process has been put in place for evaluating and removing unnecessary access accounts on servers or staff computers. As a result, system resources are vulnerable to unauthorized and undetected access. Implementing the recommendations will address these weaknesses and improve NASM's current security posture.

Recommendations

1. We recommend that the Director, National Air and Space Museum, ensure that his staff establish a process to perform periodic reviews of server configurations to ensure patches and hot fixes are up to date and necessary.

Management Comments

Concur. For all network-dependent systems, every three months NASM will review and update server configuration. For services that do not reside on the NASM network, including those that support CEPS operations, we will upgrade as necessary.
Many non-resident research systems will be phased out when the software is retired.

Office of the Inspector General Response

The Director's actions are responsive to the recommendation. The recommendation is closed.

2. We recommend that the Director, National Air and Space Museum, ensure that his staff evaluate system resources and remove unnecessary accounts.

Management Comments

Concur. Unnecessary accounts have already been removed and system resources will be reevaluated on a three-month schedule.

Office of the Inspector General Response

The Director's actions are responsive to the recommendation. The recommendation is closed.

3. We recommend that the Director, National Air and Space Museum, ensure that his staff perform system port scans, determine if open ports on servers and workstations are necessary, and close all unnecessary ports.

Management Comments

Concur. NASM will on a quarterly basis scan all ports and close all unnecessary ports on its workstations and servers.

Office of the Inspector General Response

The Director's actions are responsive to the recommendation. The recommendation is closed.

4. We recommend that the Director, National Air and Space Museum, ensure that his staff relocate the NASM Internet website to the SI secured web hosting location.

Management Comments

Partially Concur. NASM is reexamining the alternatives of maintaining the current arrangement with movement into OCIO's DMZ (secured web hosting location).

Office of the Inspector General Response

The Director's actions are responsive to the recommendation. The recommendation will remain open until NASM's examination is complete or the NASM Internet website is relocated to the secured web hosting location referred to as the DMZ.

5. 
We recommend that the Director, National Air and Space Museum, ensure that his staff delineate clear information system administration responsibility across NASM to the NASM Information Technology Division.

Management Comments

Concur. NASM will issue a policy describing the responsibilities of the information technology department and its relationship to organizations that have specific information technology requirements.

Office of the Inspector General Response

The Director's actions are responsive to the recommendation. The recommendation is open until the policy is formalized and distributed within NASM.

6. We recommend that the Director, National Air and Space Museum, ensure that his staff assess NASM computers and remove all unnecessary computers attached to the SI network.

Management Comments

Non-Concur. All NASM computers are used by staff, researchers or volunteers, and are considered necessary. There are some systems that are designed for single, scientific purposes only, and may not be used on a consistent basis. However, they are a core element of our scientific mission and should remain part of NASM's computer complement.

Office of the Inspector General Response

The Director's actions are not responsive to that recommendation. We identified during the audit computers where staff clearly stated there was no apparent use and which could be removed from the NASM network. Some computers were removed and others, we were told, would be removed. These computers also had numerous open vulnerable ports, and memory was at capacity, thereby making the systems unstable. If these machines are critical to NASM researchers, then some level of system administration was lacking and is needed.
The recommendation will remain open, and we ask the Director to reevaluate the recommendation and evaluate the computers within the Center for Earth and Planetary Studies (CEPS) computer room to determine if their function is clearly needed under their current configuration. In addition, a clear understanding of who is responsible for administration of CEPS computers is required.

7. We recommend that the Director, National Air and Space Museum, ensure that his staff review the use of non-Smithsonian standard supported e-mail applications.

Management Comments

The POP3 e-mail system provides NASM's scientists flexibility that is not found in other systems. Information Technology approved its use in 1999.

Office of the Inspector General Response

The Director's actions are responsive to the recommendation. Since Information Technology has approved the use, and has therefore accepted the nonconformity and additional administration, the recommendation is closed.

8. We recommend that the Director, National Air and Space Museum, ensure that his staff consider reallocating computer resources from the Information Technology Department computer room to the more operationally equipped computer facility within the Center for Earth and Planetary Studies.

Management Comments

Partially Concur. NASM is currently reconfiguring its existing computer facility to meet expanded requirements. In addition, the Center for Earth and Planetary Studies room would need an equivalent level of outfitting to meet system requirements already in place in the current computer facility. If the computer facility is to be moved, we would prefer to configure the new space that will open when the cooling tower is removed from NASM's third floor.

Office of the Inspector General Response

The Director's actions are responsive to the recommendations.
The recommendations will remain open until a more detailed cost-benefit analysis is performed which supports relocation or a facility modification.

Appendix A. Policies and Industry Standards

We evaluated NASM system security from April 8, 2003, through August 7, 2003. We used Smithsonian Directives as well as industry guidance and standards from the National Institute of Standards and Technology, General Accounting Office, National Security Agency, Microsoft Corporation, Novell Corporation and the IBM Corporation. The evaluation included a review of operating system configurations, server configurations, user accounts, network ports, and vulnerable services.

Smithsonian Directive 115, Management Controls, revised July 23, 1996, lists standards that shall apply to all Institution units. The directive requires managers to take systematic and proactive steps to develop and implement appropriate, cost-effective management controls. These controls should provide reasonable assurance that assets are safeguarded against waste, loss, unauthorized use, and misappropriation.

Smithsonian Institution, Technical Reference Model, Version 1.0, December 2001, IT-920-01, applies to program area and technical managers, and others responsible for information technology systems and services. Compliance is required unless explicitly waived by the Chief Information Officer. The Technical Reference Model recognizes that the Institution is composed of varied hardware and software products that in many cases are incompatible. The heterogeneous nature of the Institution's technology infrastructure has constrained its ability to introduce new technology. The Technical Reference Model attempts to address this problem by establishing consistent information and communication services throughout the Institution. A standards approach will provide the ability to update and replace technology in a more cost-effective manner.
The Technical Reference Model identifies GroupWise or Lotus Notes as the preferred e-mail communication standard.

GAO, Financial Information Systems Control Audit Manual, January 1999, provides guidance in evaluating computer-related controls. The guidance describes access controls that provide reasonable assurance that computer resources are protected against unauthorized modification, disclosure, loss, or impairment. Such controls include physical controls such as locking computer rooms to limit access. Inadequate access controls diminish the reliability of computerized data and increase the risk of destruction or inappropriate disclosure of data.

National Security Agency (NSA) Research Study by Trusted Systems Services, Windows NT Security Guidelines: Considerations & Guidelines for Securely Configuring Windows NT in Multiple Environments, 1999, provides guidelines for countering known attacks on Windows NT installations that expose or modify user data maliciously. The goal is to make Windows NT as secure as reasonably and practically possible. Implicit in the guidelines is the understanding that recommendations must be both effective against certain threats and also practical. A balance is necessary between security and operations because some controls impede operational capability.

NSA, Guide to Securing Microsoft Windows NT Networks, 2001, identifies a variety of available Windows NT 4.0 security mechanisms and provides steps or measures for their implementation. The guide provides a solid security foundation for any Windows NT 4.0 network by offering step-by-step instructions on how to utilize the operating system's built-in security features, additional add-on service packs, and hot fixes.

Microsoft White Paper, Securing Windows NT Installation, 1997, states that the default, out-of-the-box NT configuration is unsecured.
This white paper discusses various security issues with respect to configuring all Windows NT operating system products for a highly secure computing environment.

National Institute of Standards and Technology (NIST) Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems, December 1998, states that the objective of system security planning is to improve the protection of information technology resources. All federal systems have some level of sensitivity and require protection as part of good management practice. According to NIST, system security plans should document the protection of the system. Additionally, the completion of system security plans is a requirement of the Office of Management and Budget Circular A-130, Management of Federal Information Resources, Appendix III, Security of Federal Automated Information Resources, and Public Law 100-235, Computer Security Act of 1987. The purpose of the security plan is to provide an overview of the security requirements of the system and describe the controls in place for meeting those requirements. The system security plan also delineates responsibilities and expected behavior of all individuals who access the system.

The NIST special publication, Generally Accepted Principles and Practices for Securing Information Technology Systems, September 1996, provides instructions, recommendations, and considerations for government computer security. According to NIST guidance, security policies and procedures should be in place to protect valuable resources, such as information, hardware, and software. The security program should allow for periodic assessments and should ensure that personnel understand their respective responsibilities.

Appendix B. 
Management Comments

                   Smithsonian
                   National Air and Space Museum
                   Office of the Director                                                          MEMO

     Date       August 29, 2003
     To         Thomas Blair
                Inspector General
     CC         Dennis Shaw
                Chief Information Officer
     From       J.R. Dailey
                Director
     Subject    Draft Report on Audit of Information Systems Security Controls at the National Air and Space Museum

        Thank you for the opportunity to review your evaluation of the National Air and Space Museum's information systems security. We concur with many of your recommendations; however, there are some areas that should bear further examination.

        Recommendation #1: Establish a periodic process to perform periodic reviews of server configuration to ensure patches and hot fixes are up to date and necessary.

        Response #1: For all network-dependent systems, every three months NASM will review and update server configurations.
For servers that do not reside on the NASM network, including those that support CEPS operations, we will upgrade as necessary. Many of the non-resident research systems will be phased out when the software is retired.

        Recommendation #2: Evaluate systems resources and remove unnecessary accounts.

        Response #2: This has already been done and will be reevaluated on a three-month schedule.

        Recommendation #3: Perform system port scans and determine if open ports on servers and workstations are necessary. If not, close unnecessary ports.

        Response #3: Quarterly NASM will scan all ports and close all unnecessary ports on its workstations and servers.

        Recommendation #4: Relocate the NASM Internet website to the SI secured web hosting location.

        Response #4: We are examining the alternatives of maintaining the current arrangement with movement into OCIO's DMZ.

                   SMITHSONIAN INSTITUTION
                   National Air and Space Museum
                   Independence Avenue at Sixth Street SW
                   P.O. Box 37012
                   Washington DC 20013-7012
                   202.633.2350 Telephone
                   202.357.2426 Fax

        Recommendation #5: Delineate clear information systems administrator responsibilities across NASM to the NASM Information Technology Division.

        Response #5: NASM will issue a policy describing the responsibilities of the Information Technology Department and its relationship to organizations that have specific information technology requirements.

        Recommendation #6: Assess NASM computers and remove all unnecessary computers 
attached to the SI network.

        Response #6: All NASM computers are used by staff, researchers or volunteers, and are considered necessary. There are some systems that are designed for single, scientific purposes only, and may not be used on a consistent basis. However, they are a core element of our scientific mission and should remain part of NASM's computer complement.

        Recommendation #7: Review the use of non-Smithsonian standard supported e-mail applications.

        Response #7: The POP-3 e-mail system provides NASM's scientists flexibility that is not found in other systems. Information Technology approved its use in 1999.

        Recommendation #8: Consider reallocating computer resources from the Information Technology Department computer room to the more operationally equipped computer facility within the Center for Earth and Planetary Studies.

        Response #8: NASM is currently reconfiguring its existing computer facility to meet expanded requirements. In addition, the Center for Earth and Planetary Studies room would need an equivalent level of outfitting to meet system requirements already in place in the current computer facility. If the computer facility is to be moved, we would prefer to configure the new space that will open when the cooling tower is removed from NASM's third floor.